Use PowerShell SecureString with Windows System Account

This solution creates an encrypted password through the Windows System Account and saves it to a text file. It allows you to remove clear text passwords from a PowerShell script you may have running on a schedule under the System Account and use the encrypted password instead. The password can only be decrypted under the account that originally encrypted the password, which in this case would be the System Account.

This is more of a workaround as I could not find a way to run a command in PowerShell without some sort of add-ins. I also did not want to just store the key for the encrypted password in plain text anywhere. The script creates a scheduled task under the System Account that runs a command to encrypt the password you enter and stores it in a text file.
You can use the encrypted password in this file to securely pass credentials in another script for an account if needed - as long as that script is also run under the System Account.

NOTE: Make sure you run the script as an administrator

Source Code

This script has not been checked by Spiceworks. Please understand the risks before using it.

<#
AUTHOR: Keith Francis
Description: This script creates a scheduled task under the system account and runs a command to create a text file with an encrypted password.
Since this password is encrypted using the system account, only tasks run under the System account that use this text file for the
password will be able to decrypt this password. No other account can decrypt it. This way, the password is stored securely and not
in plain text in a powershell script. The encrypted password can be used to, for example, authenticate an email account that may be
used in a PS script that sends emails. I could not find another way to run a command under the system account in PowerShell so creating
a scheduled task and running it there under the system account will have to do
#>
#Task name. Call it whatever you want
$taskName = "Create Secure Email Password"
#This is the path and name where the encrypted password will be stored in a text file
$filePath = "C:\SecureFolder\"
$fileName = "EncryptedPass.txt"
#Create the filePath if it does not exist (Out-Null hides the DirectoryInfo output)
New-Item -ItemType Directory -Force -Path $filePath | Out-Null
$fullPath = Join-Path $filePath $fileName
#This is the password you are trying to encrypt. Doing -AsSecureString so that it doesn't show the password when you type it
$password = Read-Host -Prompt "Enter password" -AsSecureString
#Convert the password back to plain text, then zero and free the unmanaged copy
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$password = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
#The password is placed inside single quotes in the command below, so double any single quotes it contains
#(a password containing double quotes would still need extra escaping for the command line)
$escapedPassword = $password -replace "'", "''"
#Remove task with the name "Create Secure Email Password" if it already exists
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task)
{
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
}
#Create the action for the scheduled task. It will run powershell and execute the command specified below.
#Caveat: the plain-text password travels as a command-line argument of that process, so it is visible to
#anyone who can read process command lines (Task Manager, process creation auditing) while the task runs.
$action = New-ScheduledTaskAction -Execute 'Powershell.exe' `
-Argument "-NoProfile -command &{'$escapedPassword' | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Out-File '$fullPath'}"
#Register Scheduled task and then run it once to create the text file with the encrypted password
Register-ScheduledTask -Action $action -TaskName $taskName -Description "Creates a text file with the encrypted email password" -User "System" -RunLevel Highest | Out-Null
Start-ScheduledTask -TaskName $taskName
#Start-ScheduledTask returns immediately, so wait (up to 30 seconds) for the task to finish before removing it
$deadline = (Get-Date).AddSeconds(30)
do {
    Start-Sleep -Milliseconds 500
} while ((Get-ScheduledTask -TaskName $taskName).State -eq 'Running' -and (Get-Date) -lt $deadline)
#Remove the task after it is run
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
#Clear the plain-text copies from this session
$password = $null; $escapedPassword = $null; $action = $null
<#
To get the password and use it somewhere like emailing, for example, use the Get-Content command to get the string from the text file
and convert it to SecureString. See the sample code below to see how to do this:
**********************************************************************************
$email = "someone@example.com"
$pass = Get-Content "C:\SecureFolder\EncryptedPass.txt" | ConvertTo-SecureString
$emailCredential = New-Object System.Net.NetworkCredential($email, $pass)
**********************************************************************************
#>
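The consuming side, as an added example that is not part of the original script: a PowerShell script meant to run as a scheduled task under the System account, which reads the encrypted file created above, builds a PSCredential from it, and fails with a clear message when it is run under any other account (which is the failure mode the note above describes, since the DPAPI key belongs to the encrypting account). It also tightens the folder's ACL to SYSTEM and local Administrators, which the original script does not do. The file path is the one from the script above; the account name is a placeholder; the function names are my own.

```powershell
# Added example (not from the original post): consumer script for the encrypted password file.
# Assumptions: the file path matches the script above, 'someone@example.com' is a placeholder
# account name, and the folder ACL is tightened to SYSTEM and Administrators only.

$encryptedFile = 'C:\SecureFolder\EncryptedPass.txt'
$accountName   = 'someone@example.com'   # placeholder account name

function Protect-SecureFolderAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Least privilege for the folder holding the blob: drop inherited ACEs and grant only
    # SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544). Other accounts cannot
    # decrypt the blob anyway, but they have no reason to read it either.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)          # protect the DACL, discard inherited rules
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-StoredCredential {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    # The DPAPI key used by ConvertFrom-SecureString belongs to the account that ran it
    # (SYSTEM here), so check the identity first and give a clear error instead of a cryptic one.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $identity.IsSystem) {
        throw "Only the System account can decrypt '$Path'; this script is running as $($identity.Name)."
    }
    try {
        # Get-Content without -Raw returns the single line without its trailing newline
        $secure = Get-Content -Path $Path -ErrorAction Stop | Select-Object -First 1 |
                  ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # A blob created by a different account typically fails with
        # "Key not valid for use in specified state."
        throw "Could not decrypt '$Path': $($_.Exception.Message)"
    }
    # PSCredential is what -Credential parameters (for example on Send-MailMessage) expect
    return New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

Protect-SecureFolderAcl -Path (Split-Path -Parent $encryptedFile)
$cred = Get-StoredCredential -Path $encryptedFile -UserName $accountName
# $cred can now be passed to any cmdlet with a -Credential parameter; the plain-text
# password never appears in this script or in the file on disk.
```

Register this script as a scheduled task running as "System" (the same way the creation script does) and the decryption succeeds; run it interactively as an administrator and the identity check fires before ConvertTo-SecureString gets a chance to throw. The ACL step needs administrator rights and only has to run once, but it is idempotent, so leaving it in the script does no harm.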